Can't import PFX with CERTUTIL -- "Keyset does not exist"

2

We have a PFX file that when used on any other Windows system (Server 2008 R2, 7, 8) installs fine. On 2 of my servers, the import fails like so:

CertUtil: -importPFX command FAILED: 0x80090016 (-2146893802) CertUtil: Keyset does not exist

We originally imported this PFX using the MMC snap-in, which appears to work, as no errors are reported and the certificate shows that it has a Private Key when opened, but with our .NET application we were getting an error about not having the Private Key. We assumed Private Key permissions and added the correct permissions for our App Pool. This made no difference. We have imported and deleted several times trying to fix this.

We have now noticed that the size of the files added, when an import through MMC is performed, to the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder was only 79kb on the servers that are not working when they are usually showing as being 2kb on systems where they do work.

I've done MD5 checks on the files to check they are the same (they were) and I have also copied them back from the system that wasn't working (the original copied file, not an export) and that still works elsewhere.

Why would this be failing?

windows-server-2008-r2
iis-7.5
certutil
asked on Server Fault Feb 27, 2015 by neildeadman

1 Answer

0

Every Google search that we performed always returned the same basic answer, something relating to permissions of the Private Keys... but this was based on the error messages we were seeing.

Eventually we tracked the problem down after using WinHttpCertCfg.exe along with Process Monitor to log access to folders and the registry.

When one of our developers was adding some test certificates, he also changed the security permissions on the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder so that IIS could access the Private Key of the certificates he'd imported, rather than granting permissions through the Certificates snap-in in MMC.

He only added a new permission and didn't change the existing ones, but this somehow broke the import of certificates. When the additional permissions were removed it started working again.

Very much doubt others will have this same issue, but thought it worthwhile to answer rather than delete or close the question as it might one day just help someone else out.

answered on Server Fault Mar 3, 2015 by neildeadman
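As an added diagnostic (not part of the original question or answer), the PowerShell script below lists ACEs on the MachineKeys folder that go beyond the stock identities and, given a certificate thumbprint, shows the ACL on that certificate's private-key container file, which is what the Certificates snap-in edits when you grant an App Pool access to the key. It assumes Windows PowerShell on the affected server, a CSP (CAPI) RSA key such as certutil -importPFX creates by default, and a baseline of Everyone and Administrators that you should verify against Microsoft's documented defaults for your OS.

```powershell
# Added example, not code from the original post.
# Usage: .\Audit-MachineKeys.ps1 [-Thumbprint <thumbprint of the imported certificate>]
param([string]$Thumbprint)

$MachineKeys = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'

# Assumption: a stock MachineKeys ACL names only these two identities.
# Confirm against the Microsoft-documented defaults before treating this as a baseline.
$ExpectedIdentities = @('Everyone', 'BUILTIN\Administrators')

function Get-UnexpectedMachineKeysAce {
    # Any ACE for another identity is a candidate for the kind of folder-level
    # change the answer describes (an extra grant made outside the snap-in).
    (Get-Acl -Path $MachineKeys).Access | Where-Object {
        $ExpectedIdentities -notcontains $_.IdentityReference.Value
    }
}

function Get-PrivateKeyFileAcl {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }
    # CspKeyContainerInfo exists only for CSP (CAPI) keys; for a CNG key the
    # container lives elsewhere, so stop rather than guess a path.
    try { $info = $cert.PrivateKey.CspKeyContainerInfo } catch { $info = $null }
    if (-not $info) { throw "Private key is not a CSP key; this check does not apply" }
    $keyFile = Join-Path $MachineKeys $info.UniqueKeyContainerName
    Get-Acl -Path $keyFile
}

$extra = Get-UnexpectedMachineKeysAce
if ($extra) {
    "Non-default ACEs on $MachineKeys (review each one):"
    $extra | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
} else {
    "$MachineKeys carries only the expected identities."
}

if ($Thumbprint) {
    "ACL on the private-key container for $Thumbprint (App Pool access belongs here):"
    (Get-PrivateKeyFileAcl -Thumbprint $Thumbprint).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
}
```

Run it elevated on both a working and a failing server and diff the first table; a grant that appears only on the failing server is the place to start.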

User contributions licensed under CC BY-SA 3.0